CISA Adds Critical BeyondTrust Vulnerability to Exploited List

Introduction

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) software to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2024-12356, has a CVSS score of 9.8, making it a severe risk for organizations using these products.

This addition underscores the urgency for organizations to address vulnerabilities in BeyondTrust software, especially given reports of active exploitation in the wild.


What Is CVE-2024-12356?

Key Details:

  • Type of Vulnerability: Command injection.
  • Impact: Allows unauthenticated attackers to run arbitrary commands as the site user.
  • Severity Score: 9.8 (Critical).

CISA explained that the flaw can be exploited by sending specially crafted commands to vulnerable systems, enabling attackers to execute unauthorized actions.

Affected Versions:

  1. Privileged Remote Access (PRA): Versions 24.3.1 and earlier.
  2. Remote Support (RS): Versions 24.3.1 and earlier.

Patches Available:

  • PRA: BT24-10-ONPREM1 or BT24-10-ONPREM2.
  • RS: BT24-10-ONPREM1 or BT24-10-ONPREM2.

Organizations using self-hosted instances must urgently apply these patches, while BeyondTrust has already addressed the issue in its cloud instances.
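To turn the affected-version and patch details above into something an operator can run against an asset inventory, here is an added Python example (not BeyondTrust's or CISA's code). It assumes appliances report a dotted version string such as "24.3.1", that anything at or below 24.3.1 is affected as stated above, and that an inventory records which BT24-10-ONPREM hotfixes were applied; the inventory itself is constructed sample data.

```python
"""Triage a BeyondTrust PRA/RS inventory against CVE-2024-12356.

Added example, not vendor code. Two practitioner details are handled:
versions are compared numerically (a string compare would rank "24.10.0"
below "24.3.1"), and a host already carrying a BT24-10-ONPREM hotfix is not
flagged, because the version number alone does not reveal an applied patch.
"""
from typing import Dict, List, Tuple

LAST_AFFECTED = (24, 3, 1)                      # "24.3.1 and earlier" per the advisory
PATCHES_FOR_12356 = {"BT24-10-ONPREM1", "BT24-10-ONPREM2"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '24.3.1' into (24, 3, 1); pad short strings so '24.3' == '24.3.0'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in parts)
    if len(nums) < 3:
        nums = nums + (0,) * (3 - len(nums))
    return nums


def is_affected(version: str) -> bool:
    """True when the release is at or below the last affected version."""
    return parse_version(version) <= LAST_AFFECTED


def needs_patch(host: Dict[str, object]) -> bool:
    """Decide whether one inventory record still needs the BT24-10-ONPREM fix."""
    if host.get("hosting") != "self-hosted":
        return False                            # cloud instances were patched by the vendor
    if PATCHES_FOR_12356 & set(host.get("patches", [])):
        return False                            # hotfix already present
    return is_affected(str(host["version"]))


def triage(inventory: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the records that must be patched, in inventory order."""
    return [h for h in inventory if needs_patch(h)]


# Constructed sample inventory: hostnames, versions and patch states are made up.
SAMPLE_INVENTORY = [
    {"host": "pra-dc1.example.internal", "product": "PRA", "version": "24.3.1",
     "hosting": "self-hosted", "patches": []},
    {"host": "rs-hq.example.internal", "product": "RS", "version": "24.2",
     "hosting": "self-hosted", "patches": []},
    {"host": "rs-patched.example.internal", "product": "RS", "version": "24.3.1",
     "hosting": "self-hosted", "patches": ["BT24-10-ONPREM2"]},
    {"host": "rs-lab.example.internal", "product": "RS", "version": "24.10.0",
     "hosting": "self-hosted", "patches": []},     # hypothetical newer release
    {"host": "pra-cloud.example.com", "product": "PRA", "version": "24.3.1",
     "hosting": "cloud", "patches": []},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_INVENTORY):
        print(f"{h['host']} ({h['product']} {h['version']}): apply BT24-10-ONPREM1 or -ONPREM2")
```

The `patches` field is the important part: after applying a hotfix the reported product version typically does not change, so an inventory that tracks only version numbers will keep raising already-fixed hosts.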


Active Exploitation of CVE-2024-12356

The vulnerability’s inclusion in the KEV catalog follows BeyondTrust’s acknowledgment of a cyberattack earlier this month.

Details of the Incident:

  • Attackers exploited BeyondTrust’s Remote Support SaaS API key, gaining the ability to reset passwords for local application accounts.
  • Investigations are ongoing with assistance from a third-party cybersecurity and forensics firm.

While the exact scale of the attacks and the identity of the threat actors remain unclear, the active exploitation of this flaw has heightened concerns across the cybersecurity community.


Additional Vulnerability: CVE-2024-12686

BeyondTrust’s investigation uncovered another medium-severity vulnerability, CVE-2024-12686.

Key Details:

  • Severity Score: 6.6 (Medium).
  • Impact: Allows command injection by attackers with administrative privileges.

Affected Versions and Patches:

  • PRA: BT24-11-ONPREM1 to BT24-11-ONPREM7 (version-dependent).
  • RS: BT24-11-ONPREM1 to BT24-11-ONPREM7 (version-dependent).

Although BeyondTrust reports no evidence of CVE-2024-12686 being exploited in the wild, organizations are urged to patch immediately.


Mitigation Recommendations

Organizations using BeyondTrust PRA and RS software should take the following actions to mitigate risks:

1. Apply Patches Immediately:

  • Update to the latest patched versions for both PRA and RS as outlined above.
  • Ensure both cloud and self-hosted deployments are secured.

2. Monitor for Indicators of Compromise (IOCs):

  • Look for unauthorized access attempts or suspicious activity in system logs.
  • Use intrusion detection tools to identify exploitation attempts.

3. Implement Access Controls:

  • Limit access to PRA and RS systems to trusted IP addresses.
  • Enforce strong, unique passwords and multi-factor authentication (MFA) for admin accounts.

4. Enhance Threat Detection Capabilities:

  • Use endpoint detection and response (EDR) tools to monitor for anomalous behavior.
  • Regularly scan systems for vulnerabilities.

5. Educate Staff:

  • Train employees on cybersecurity best practices, especially those managing privileged accounts.
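Recommendations 2 and 3 above (watch the logs, restrict admin access to trusted addresses) can be expressed as concrete detection logic. The following Python is an added example, not BeyondTrust's code and not their real log format: the line layout, field names, IP ranges and account names are all constructed for the exercise, so the regex is the part to adapt to actual appliance audit logs. It flags the two behaviours the incident summary calls out: a password reset on a local account performed through an API key rather than an interactive administrator, and administrative activity arriving from outside the trusted management networks.

```python
"""Detection over constructed PRA/RS-style audit-log lines.

Added example, not vendor code. Format assumed here (invented):
<timestamp> src=<ip> auth=<method> actor=<name> action=<verb> [target=<name>]
"""
import ipaddress
import re
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) auth=(?P<auth>\S+) actor=(?P<actor>\S+) "
    r"action=(?P<action>\S+)(?: target=(?P<target>\S+))?$"
)

# Assumed management allowlist (constructed ranges).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                ipaddress.ip_network("192.168.50.0/24")]

# Authentication methods that carry administrative power in this assumed format.
ADMIN_AUTH = {"api_key", "interactive_admin"}


def parse_line(line: str) -> Dict[str, str]:
    """Split one audit line into fields; reject anything not matching the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    return m.groupdict()


def from_trusted_net(src: str) -> bool:
    """True only for a well-formed address inside an allowlisted range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False                        # malformed source is never trusted
    return any(addr in net for net in TRUSTED_NETS)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the alert names an event triggers; an empty list means benign."""
    alerts = []
    # Incident pattern: an API key, not a person, resetting a local account password.
    if event["action"] == "password_reset" and event["auth"] == "api_key":
        alerts.append("api-key-password-reset")
    # Recommendation 3: administrative access should only come from trusted ranges.
    if event["auth"] in ADMIN_AUTH and not from_trusted_net(event["src"]):
        alerts.append("admin-access-from-untrusted-ip")
    return alerts


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every line through the classifier and keep only the hits."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        hits = classify(ev)
        if hits:
            findings.append({"ts": ev["ts"], "src": ev["src"],
                             "actor": ev["actor"], "alerts": hits})
    return findings


# Constructed sample lines: timestamps, IPs, key and account names are made up.
SAMPLE_LOG = [
    "2024-12-05T09:12:01Z src=10.20.4.7 auth=interactive_admin actor=jsmith action=login",
    "2024-12-05T09:15:44Z src=10.20.4.7 auth=interactive_admin actor=jsmith action=password_reset target=svc_backup",
    "2024-12-05T23:41:09Z src=203.0.113.42 auth=api_key actor=integration-key-7 action=password_reset target=localadmin",
    "2024-12-05T23:41:10Z src=203.0.113.42 auth=api_key actor=integration-key-7 action=login",
    "2024-12-06T08:00:00Z src=198.51.100.9 auth=end_user actor=customer42 action=start_session",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['actor']}: {', '.join(f['alerts'])}")
```

Note that the interactive admin resetting a service account password from a trusted network (line 2) is deliberately not alerted: the signal in the incident was not the reset itself but that an API key performed it. End-user session traffic from arbitrary addresses is also left alone, since restricting it to the management allowlist would break normal remote-support use.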

The Bigger Picture

This incident adds to a growing list of vulnerabilities in privileged access management (PAM) solutions being exploited by attackers. The active targeting of BeyondTrust products highlights the persistent risks associated with:

  • Unpatched Systems: Even highly secure systems can become vulnerable if patches are delayed.
  • Privileged Account Abuse: Gaining control of admin accounts provides attackers with extensive access to critical systems.

Conclusion

The inclusion of CVE-2024-12356 in CISA’s KEV catalog is a stark reminder for organizations to remain vigilant against evolving cyber threats. BeyondTrust’s quick response with patches and transparency about the incident is commendable, but the onus lies with organizations to implement these fixes and bolster their defenses.

By acting swiftly and adhering to CISA’s recommendations, organizations can mitigate the risk of exploitation and protect their critical assets. Cybersecurity remains a shared responsibility—staying proactive is key to staying secure.
